AnthonyQ, posted August 18, 2022:
Hi, I've recently submitted several samples to ESET via email, but they haven't been detected.
Sample 1: https://www.virustotal.com/gui/file/7750749daa1ad5c1de9144b4e4a4430b647dcaea8e68bf2f34da81e1ae19f567
Sample 2: https://www.virustotal.com/gui/file/b318662824bcd550e8a3161a184b4e7f9dc1265c82ac6cb565bfcd53ac834c26 (it will try to disable UAC during installation)
Sample 3: https://www.virustotal.com/gui/file/785e9b07fc8ed60165bccab77cd09e1a7991ce1c54c6afb58a9d4d37b76e69e0
Sample 4: https://www.virustotal.com/gui/file/69b8b968c8f68670ed353f2f4752b2af092d4a19a92c1bc235b293fa0b188bd4
Sample 5: https://www.virustotal.com/gui/file/bf4ed8d5dc017a7346f7981ce4db8156c1b76b0cd6f9a37394378371fb548870
Please take a look at them and add proper detection.
Anthony
itman, posted August 18, 2022:
Eset detects sample 3 as FlyStudio. The samples not detected that are most concerning are 4 and 5, which have 20+ detections at VT. Sample 1 appears to be a hacktool.
Nevermind, posted August 18, 2022 (edited):
20 minutes ago, itman said: Sample 1 appears to be a hacktool.
Unless you qualify a silent installation of Remote Admin, creating new Windows users and sending your network properties to some Chinese email address as a hacktool, I wouldn't call it a hacktool.
itman, posted August 18, 2022:
18 minutes ago, Nevermind said: Unless you qualify a silent installation of Remote Admin, creating new Windows users and sending your network properties to some Chinese email address as a hacktool, I wouldn't call it a hacktool.
My posting was based on the VT detection comment noting a GitHub YARA signature detection. VT analysis shows no outbound connection to known malicious C&C servers from the .msi installer. However, it appears there might be a malicious Excel macro embedded in the .msi installer, based on outbound network traffic detections from the macro. However, the detection score is 10/71.
azeu666, posted August 18, 2022 (edited):
My previous post was hidden. Example: https://www.virustotal.com/gui/file/9f6b0cb35a1fe1c455248de5a6eeb9c26500d0269bbf20f8b876736416cf6320?nocache=1
Another example: https://www.virustotal.com/gui/file/1aaf4de53354804892f469dc81af5c889c575c931852cfa7f07b2313c54196b6?nocache=1
Marcos (Administrator), posted August 18, 2022:
2 hours ago, azeu666 said: My previous post was hidden. Example: https://www.virustotal.com/gui/file/9f6b0cb35a1fe1c455248de5a6eeb9c26500d0269bbf20f8b876736416cf6320?nocache=1
This one is corrupted, i.e. not subject to detection.
2 hours ago, azeu666 said: Another example: https://www.virustotal.com/gui/file/1aaf4de53354804892f469dc81af5c889c575c931852cfa7f07b2313c54196b6?nocache=1
Already detected (VirusTotal will show it detected in 2-3 hours): 1aaf4de53354804892f469dc81af5c889c575c931852cfa7f07b2313c54196b6.exe - a variant of MSIL/GenKryptik.FYZX trojan
Moreover, this one was detected upon execution by an older version with more than 2 year old modules and without Internet connection.
azeu666, posted August 19, 2022 (edited):
I use Endpoint Antivirus for Linux with its inherent limitations (no Pico updates), not Eset Internet Security. When I scanned the two files with the existing detection engine, the two malware files were not detected. Also, when I used https://opentip.kaspersky.com/ and ClamAV using the YARA rule set from open source (https://www.reversinglabs.com/products/open-source-yara-rules), there was no issue in detecting the so-called "This one is corrupted, i.e. not subject to detection."
azeu666, posted August 19, 2022:
My apologies, I forgot to add that we use www.securiteinfo.com (Pro) integrated with ClamAV as well.
AnthonyQ (author), posted August 21, 2022:
Another two samples were submitted, but I did not get a reply, and no detection was added.
Sample 1: https://www.virustotal.com/gui/file/4e9ea62b43f207f6bbe7780c4d5258d946de7d31d32975950491897999579c84
Sample 2: https://www.virustotal.com/gui/file/26fcb0b2ee87c249d282c9c922b66b8a5a97d4af19938fa533858bf11913c63b
Also, as I haven't received any reply from ESET Lab since early August, I would like to know whether ESET Lab can actually receive my email submission.
itman, posted August 21, 2022:
14 hours ago, AnthonyQ said: Also, as I haven't received any reply from ESET Lab since early August, I would like to know whether ESET Lab can actually receive my email submission.
Verify, using tracert, etc., that you can reach the below listed domains/IP addresses. It is assumed that if you can reach one, you can reach all.
AnthonyQ (author), posted August 21, 2022:
1 hour ago, itman said: Verify, using tracert, etc., that you can reach the below listed domains/IP addresses. It is assumed that if you can reach one, you can reach all.
I submitted samples via email, not the in-product submission system. Btw, these two samples are still not detected.
itman, posted August 21, 2022 (edited):
34 minutes ago, AnthonyQ said: I submitted samples via email, not the in-product submission system.
Are you using Gmail to do so? If this is the case, refer to this posting: https://forum.eset.com/topic/32997-submit-samples-with-gmail/#comment-153347 . BTW, you should be aware of this Gmail issue since you commented in this thread. If you are not using Gmail for submission, ensure your e-mail request conforms to the following criteria: https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab?ref=esf
AnthonyQ (author), posted August 21, 2022:
29 minutes ago, itman said: Are you using Gmail to do so? If this is the case, refer to this posting: https://forum.eset.com/topic/32997-submit-samples-with-gmail/#comment-153347 . BTW, you should be aware of this Gmail issue since you commented in this thread. If you are not using Gmail for submission, ensure your e-mail request conforms to the following criteria: https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab?ref=esf
No, I use Outlook mail, the same one I signed up with for this forum.
itman, posted August 21, 2022 (edited):
2 hours ago, AnthonyQ said: No, I use Outlook mail, the same one I signed up with for this forum.
Are you sending your e-mail with the sample attached to Eset in plain text format, as specified in the Eset KB article? Here's how to do so: https://www.lifewire.com/outlook-plain-text-message-1165895 .
SeriousHoax, posted August 21, 2022:
1 hour ago, itman said: Are you sending your e-mail with the sample attached to Eset in plain text format, as specified in the Eset KB article? Here's how to do so: https://www.lifewire.com/outlook-plain-text-message-1165895 .
He submitted samples many times before and got responses too, more or less, so I'm sure he knows how to send. I don't submit a lot, but even in my experience, it has been extremely bad for a while. I've tried different emails too a few times, but it didn't improve the experience much. Besides, I don't remember ESET ever adding phishing sites to their database that I submitted via that dedicated website. I've stopped submitting samples to ESET to not waste my time. Nowadays, the main way to make ESET add detection is to share VT links here on the forum.
Marcos (Administrator), posted August 21, 2022:
38 minutes ago, SeriousHoax said: I don't remember ESET ever adding phishing sites to their database that I submitted via that dedicated website.
Any example please? Of course, if you submit a lot of URLs, those must be manually reviewed and opened by an analyst to find out if they are indeed phishing and subject to blocking. If you submit one or a few at a time, they should be reviewed and possibly blocked relatively quickly (in 1 - 72 hours).
itman, posted August 21, 2022 (edited):
As far as reporting phishing web sites, that procedure is also noted in the above linked Eset KB article:
Quote: Submit a fraudulent page (phishing). If you believe you have deliberately and deceitfully discovered a similar page to another, complete this form to notify us.
Note that Eset now requires a form to be completed and submitted. Also, since the Eset KB article is dated Aug 10, 2022, it appears that the whole sample submission process has been recently revised.
SeriousHoax, posted August 26, 2022:
On 8/22/2022 at 1:57 AM, Marcos said: Any example please? Of course, if you submit a lot of URLs, those must be manually reviewed and opened by an analyst to find out if they are indeed phishing and subject to blocking. If you submit one or a few at a time, they should be reviewed and possibly blocked relatively quickly (in 1 - 72 hours).
I can only say what I experience myself. Talking about malware submission experience, I sent this sample to ESET more than 2 weeks ago, on 12 August, but I have neither heard back nor has a signature been created yet. LiveGuard gave it a safe verdict, but it's not safe. If possible, please improve the processing of samples submitted by users. VT link of the sample: https://www.virustotal.com/gui/file/d468b56da07173c69423973b706924187e134d0baea07e2ef8e7b49afcd5aacd
itman, posted August 26, 2022 (edited):
6 hours ago, SeriousHoax said: VT link of the sample: https://www.virustotal.com/gui/file/d468b56da07173c69423973b706924187e134d0baea07e2ef8e7b49afcd5aacd
Here's the Hybrid-Analysis analysis of it: https://www.hybrid-analysis.com/sample/d468b56da07173c69423973b706924187e134d0baea07e2ef8e7b49afcd5aacd?environmentId=120 . It creates a Python-based keylogger. It is also VM aware. As such, I am not surprised Eset doesn't detect it.
Nevermind, posted August 26, 2022:
6 hours ago, SeriousHoax said: I can only say what I experience myself. Talking about malware submission experience, I sent this sample to ESET more than 2 weeks ago, on 12 August, but I have neither heard back nor has a signature been created yet. LiveGuard gave it a safe verdict, but it's not safe.
This happens when there is unlimited access to a sample queue processed entirely by real people. Btw, I don't think the virus guys send replies to each such email. Your sample will be detected soon if it is not already.
Marcos (Administrator), posted August 26, 2022:
24 minutes ago, Nevermind said: Btw, I don't think the virus guys send replies to each such email. Your sample will be detected soon if it is not already.
Correct. The said Python installer sample has been analyzed for several hours already, the analysis is still ongoing, and it will likely be eventually detected when finished.
SeriousHoax, posted August 26, 2022:
2 hours ago, itman said: Here's the Hybrid-Analysis analysis of it: https://www.hybrid-analysis.com/sample/d468b56da07173c69423973b706924187e134d0baea07e2ef8e7b49afcd5aacd?environmentId=120 . It creates a Python-based keylogger. It is also VM aware. As such, I am not surprised Eset doesn't detect it.
Yeah, it needs to be analyzed manually.
40 minutes ago, Nevermind said: This happens when there is unlimited access to a sample queue processed entirely by real people. Btw, I don't think the virus guys send replies to each such email. Your sample will be detected soon if it is not already.
I don't need replies as long as submitted samples get added to the database. Well, I have waited 2 weeks, which is long enough. Too long, I would say.
peteyt (Most Valued Member), posted August 26, 2022:
2 hours ago, SeriousHoax said: Yeah, it needs to be analyzed manually. I don't need replies as long as submitted samples get added to the database. Well, I have waited 2 weeks, which is long enough. Too long, I would say.
2 hours ago, Nevermind said: This happens when there is unlimited access to a sample queue processed entirely by real people. Btw, I don't think the virus guys send replies to each such email. Your sample will be detected soon if it is not already.
Yeah, the thing is, in a world where new viruses appear all the time, while no AV can offer full protection, if a user submits possible malware it shouldn't take 2 weeks to get detected. If it is actual malware, it could have infected multiple users in the meantime.
itman, posted August 26, 2022 (edited):
2 hours ago, Marcos said: The said Python installer sample has been analyzed for several hours already, the analysis is still ongoing, and it will likely be eventually detected when finished.
For me, this sums up the state of malware detection at Eset. You have 32/71 VirusTotal vendors detecting it as malicious; at first submission there it was 8/14. There is at least one respected public cloud sandbox giving it a 100/100 malicious verdict. Yet, Eset VirusLab, after hours of behavior observation, can't determine if the sample is malicious.
itman, posted August 26, 2022 (edited):
Following up on my last posting, I think it's time Eset added a new section to Real-time settings titled "Additions." The format for this section would be identical to the existing "Detection Exclusions" section, with the exception that only a SHA1 hash value could be entered, with no path option specified. Eset real-time scanning would be modified to always check and process entries in "Detection Additions" prior to any other processing. The above would cover a user until Eset got around to detecting a submitted malware sample.
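The "Detection Additions" idea above, as an added example that is not part of the original thread and not ESET code: a user-maintained hash block list checked against files on disk, so a sample a user has already submitted is flagged locally while the vendor's analysis is still pending. The seed entries are the SHA-256 values from the VirusTotal links posted in this thread (a VirusTotal file URL ends in the file's SHA-256); SHA-1 is accepted alongside it because that is what itman proposes. The "sample.msi" file scanned in demo() is a constructed placeholder, not a real installer, and the file names and directory layout are assumptions.

```python
"""Local SHA-1/SHA-256 block list, illustrating the 'Detection Additions' idea.

Added example, not ESET code. It hashes every file under a directory and flags
those whose SHA-1 or SHA-256 matches a user-maintained block list. The seed
entries are the SHA-256 values from the VirusTotal links in this thread; the
'sample' written by demo() is a constructed placeholder, not real malware.
"""
import hashlib
import io
import os
import tempfile

HEX = set("0123456789abcdef")

# SHA-256 values copied from the VirusTotal links posted in this thread.
THREAD_HASHES = [
    "7750749daa1ad5c1de9144b4e4a4430b647dcaea8e68bf2f34da81e1ae19f567",
    "b318662824bcd550e8a3161a184b4e7f9dc1265c82ac6cb565bfcd53ac834c26",
    "785e9b07fc8ed60165bccab77cd09e1a7991ce1c54c6afb58a9d4d37b76e69e0",
    "69b8b968c8f68670ed353f2f4752b2af092d4a19a92c1bc235b293fa0b188bd4",
    "bf4ed8d5dc017a7346f7981ce4db8156c1b76b0cd6f9a37394378371fb548870",
    "4e9ea62b43f207f6bbe7780c4d5258d946de7d31d32975950491897999579c84",
    "26fcb0b2ee87c249d282c9c922b66b8a5a97d4af19938fa533858bf11913c63b",
    "d468b56da07173c69423973b706924187e134d0baea07e2ef8e7b49afcd5aacd",
]


def load_blocklist(lines):
    """Parse block list lines: one hex SHA-1 (40 chars) or SHA-256 (64 chars)
    per line, case-insensitive; blank lines and '#' comments are ignored.
    A malformed entry raises instead of being silently dropped, so a typo
    cannot quietly disable a detection."""
    entries = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if len(line) not in (40, 64) or not set(line) <= HEX:
            raise ValueError(f"not a SHA-1/SHA-256 hex digest: {raw!r}")
        entries.add(line)
    return entries


def hash_stream(fobj, chunk_size=1 << 20):
    """Return (sha1_hex, sha256_hex) of a binary stream, read in chunks so a
    large installer is not loaded into memory at once."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    for block in iter(lambda: fobj.read(chunk_size), b""):
        sha1.update(block)
        sha256.update(block)
    return sha1.hexdigest(), sha256.hexdigest()


def hash_bytes(data):
    """Convenience wrapper for in-memory data (used by the tests)."""
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)


def scan_directory(root, blocklist):
    """Walk root and return [(path, sha1, sha256)] for every file whose SHA-1
    or SHA-256 is on the block list. Unreadable files are skipped and
    symlinked directories are not followed (os.walk default)."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                sha1, sha256 = hash_file(path)
            except OSError:
                continue
            if sha1 in blocklist or sha256 in blocklist:
                hits.append((path, sha1, sha256))
    return hits


def demo():
    """Self-contained run: a constructed 'sample' is written to a temp dir,
    its SHA-1 is appended to the thread-derived block list (as a user would
    after submitting it), and the scan must flag it and nothing else.
    Returns the flagged basenames."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "sample.msi")   # constructed placeholder
        with open(sample, "wb") as f:
            f.write(b"constructed placeholder, not a real installer\n")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"benign file\n")
        sha1, _ = hash_file(sample)
        blocklist = load_blocklist(THREAD_HASHES + ["# local addition", sha1.upper()])
        return sorted(os.path.basename(p) for p, _, _ in scan_directory(root, blocklist))


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in mind is the one that limits itman's proposal: an exact-hash list only ever matches the byte-identical file that was submitted. Any repack, re-sign or single-byte change produces a new hash, which is why hash entries buy time for one known sample rather than coverage of a family.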